本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 使用 IAM
本節提供使用 適用於 Java 的 AWS SDK 2.x 進行程式設計 AWS Identity and Access Management (IAM) 的範例。
AWS Identity and Access Management (IAM) 可讓您安全地控制使用者對 AWS 服務和資源的存取。使用 IAM,您可以建立和管理 AWS 使用者和群組,並使用許可來允許和拒絕其對 AWS 資源的存取。如需 的完整指南 IAM,請造訪 [IAM 使用者指南](https://docs.aws.amazon.com//IAM/latest/UserGuide/introduction.html)。
下列範例僅包含示範每個技術所需的程式碼。[GitHub 上提供完整程式碼範例](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2)。您可以從那裡下載單一原始檔案或將儲存庫複製到本機,以取得建置和執行的所有範例。
**Topics**
+ [管理 IAM 存取金鑰](examples-iam-access-keys.md)
+ [管理 IAM 使用者](examples-iam-users.md)
+ [建立 IAM 政策](feature-iam-policy-builder.md)
+ [使用 IAM 政策](examples-iam-policies.md)
+ [使用 IAM 伺服器憑證](examples-iam-server-certificates.md)
# 管理 IAM 存取金鑰
## 建立存取金鑰
若要建立 IAM 存取金鑰,請使用 [https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/CreateAccessKeyRequest.html](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/CreateAccessKeyRequest.html) 物件呼叫 `IamClient’s``createAccessKey`方法。
**注意**
您必須將區域設定為 **AWS\$1GLOBAL**,`IamClient`呼叫才能運作,因為 IAM 是全域服務。
**匯入**
```
import software.amazon.awssdk.services.iam.model.CreateAccessKeyRequest;
import software.amazon.awssdk.services.iam.model.CreateAccessKeyResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.IamException;
```
**Code**
```
public static String createIAMAccessKey(IamClient iam,String user) {
try {
CreateAccessKeyRequest request = CreateAccessKeyRequest.builder()
.userName(user).build();
CreateAccessKeyResponse response = iam.createAccessKey(request);
String keyId = response.accessKey().accessKeyId();
return keyId;
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return "";
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/f807d60010caf3d14fe4cd0801b842fb8e9511ca/javav2/example_code/iam/src/main/java/com/example/iam/CreateAccessKey.java)。
## 列出存取金鑰
若要列出指定使用者的存取金鑰,請建立包含要列出金鑰之使用者名稱的[https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/ListAccessKeysRequest.html](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/ListAccessKeysRequest.html)物件,並將其傳遞給 `IamClient’s``listAccessKeys`方法。
**注意**
如果您未提供使用者名稱給 `listAccessKeys`,則會嘗試列出與簽署請求 AWS 帳戶 之 相關聯的存取金鑰。
**匯入**
```
import software.amazon.awssdk.services.iam.model.AccessKeyMetadata;
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.services.iam.model.ListAccessKeysRequest;
import software.amazon.awssdk.services.iam.model.ListAccessKeysResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
```
**Code**
```
public static void listKeys( IamClient iam,String userName ){
try {
boolean done = false;
String newMarker = null;
while (!done) {
ListAccessKeysResponse response;
if(newMarker == null) {
ListAccessKeysRequest request = ListAccessKeysRequest.builder()
.userName(userName).build();
response = iam.listAccessKeys(request);
} else {
ListAccessKeysRequest request = ListAccessKeysRequest.builder()
.userName(userName)
.marker(newMarker).build();
response = iam.listAccessKeys(request);
}
for (AccessKeyMetadata metadata :
response.accessKeyMetadata()) {
System.out.format("Retrieved access key %s",
metadata.accessKeyId());
}
if (!response.isTruncated()) {
done = true;
} else {
newMarker = response.marker();
}
}
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
```
`listAccessKeys` 的結果會分頁 (每個呼叫預設最多 100 個記錄)。您可以在傳回的[https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/ListAccessKeysResponse.html](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/ListAccessKeysResponse.html)物件`isTruncated`上呼叫 ,以查看查詢是否傳回較少的結果,然後可用。若是如此,請在 `marker` 上呼叫 `ListAccessKeysResponse`,並將它用於建立新的請求。在下次呼叫 `listAccessKeys` 時使用該新的請求。
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/f807d60010caf3d14fe4cd0801b842fb8e9511ca/javav2/example_code/iam/src/main/java/com/example/iam/ListAccessKeys.java)。
## 擷取上次使用存取金鑰的時間
若要取得上次使用存取金鑰的時間,請使用存取金鑰的 ID 呼叫 `IamClient’s``getAccessKeyLastUsed`方法 (可以使用 [https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/GetAccessKeyLastUsedRequest.html](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/GetAccessKeyLastUsedRequest.html) 物件傳入。
然後,您可以使用傳回的[https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/GetAccessKeyLastUsedResponse.html](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/GetAccessKeyLastUsedResponse.html)物件來擷取金鑰的上次使用時間。
**匯入**
```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.GetAccessKeyLastUsedRequest;
import software.amazon.awssdk.services.iam.model.GetAccessKeyLastUsedResponse;
import software.amazon.awssdk.services.iam.model.IamException;
```
**Code**
```
public static void getAccessKeyLastUsed(IamClient iam, String accessId ){
try {
GetAccessKeyLastUsedRequest request = GetAccessKeyLastUsedRequest.builder()
.accessKeyId(accessId).build();
GetAccessKeyLastUsedResponse response = iam.getAccessKeyLastUsed(request);
System.out.println("Access key was last used at: " +
response.accessKeyLastUsed().lastUsedDate());
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
System.out.println("Done");
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/f807d60010caf3d14fe4cd0801b842fb8e9511ca/javav2/example_code/iam/src/main/java/com/example/iam/AccessKeyLastUsed.java)。
## 啟用或停用存取金鑰
您可以透過建立 [https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/UpdateAccessKeyRequest.html](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/UpdateAccessKeyRequest.html) 物件、提供存取金鑰 ID、選擇性的使用者名稱和所需的 來啟用或停用存取金鑰[https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/StatusType.html](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/StatusType.html),然後將請求物件傳遞給 `IamClient’s``updateAccessKey`方法。
**匯入**
```
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.services.iam.model.StatusType;
import software.amazon.awssdk.services.iam.model.UpdateAccessKeyRequest;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
```
**Code**
```
public static void updateKey(IamClient iam, String username, String accessId, String status ) {
try {
if (status.toLowerCase().equalsIgnoreCase("active")) {
statusType = StatusType.ACTIVE;
} else if (status.toLowerCase().equalsIgnoreCase("inactive")) {
statusType = StatusType.INACTIVE;
} else {
statusType = StatusType.UNKNOWN_TO_SDK_VERSION;
}
UpdateAccessKeyRequest request = UpdateAccessKeyRequest.builder()
.accessKeyId(accessId)
.userName(username)
.status(statusType)
.build();
iam.updateAccessKey(request);
System.out.printf(
"Successfully updated the status of access key %s to" +
"status %s for user %s", accessId, status, username);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/f807d60010caf3d14fe4cd0801b842fb8e9511ca/javav2/example_code/iam/src/main/java/com/example/iam/UpdateAccessKey.java)。
## 刪除存取金鑰
若要永久刪除存取金鑰,請呼叫 `IamClient’s``deleteKey`方法,提供[https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/DeleteAccessKeyRequest.html](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/DeleteAccessKeyRequest.html)包含存取金鑰 ID 和使用者名稱的 。
**注意**
金鑰一旦刪除,就不能再擷取或使用。若要暫時停用金鑰以便稍後再次啟用,請改用 [`updateAccessKey`](#iam-access-keys-update)方法。
**匯入**
```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.DeleteAccessKeyRequest;
import software.amazon.awssdk.services.iam.model.IamException;
```
**Code**
```
public static void deleteKey(IamClient iam ,String username, String accessKey ) {
try {
DeleteAccessKeyRequest request = DeleteAccessKeyRequest.builder()
.accessKeyId(accessKey)
.userName(username)
.build();
iam.deleteAccessKey(request);
System.out.println("Successfully deleted access key " + accessKey +
" from user " + username);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/f807d60010caf3d14fe4cd0801b842fb8e9511ca/javav2/example_code/iam/src/main/java/com/example/iam/DeleteAccessKey.java)。
## 其他資訊
+ IAM API 參考中的 [CreateAccessKey](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html)
+ IAM API 參考中的 [ListAccessKeys](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html)
+ 《 IAM API 參考》中的 [GetAccessKeyLastUsed](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccessKeyLastUsed.html)
+ IAM API 參考中的 [UpdateAccessKey](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html)
+ IAM API 參考中的 [DeleteAccessKey](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteAccessKey.html)
# 管理 IAM 使用者
## 建立使用者
使用包含使用者名稱的 [CreateUserRequest](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/CreateUserRequest.html) 物件,將使用者名稱 IAM 提供給 IamClient 的 `createUser`方法,以建立新的使用者。
**匯入**
```
import software.amazon.awssdk.core.waiters.WaiterResponse;
import software.amazon.awssdk.services.iam.model.CreateUserRequest;
import software.amazon.awssdk.services.iam.model.CreateUserResponse;
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.waiters.IamWaiter;
import software.amazon.awssdk.services.iam.model.GetUserRequest;
import software.amazon.awssdk.services.iam.model.GetUserResponse;
```
**Code**
```
public static String createIAMUser(IamClient iam, String username ) {
try {
// Create an IamWaiter object
IamWaiter iamWaiter = iam.waiter();
CreateUserRequest request = CreateUserRequest.builder()
.userName(username)
.build();
CreateUserResponse response = iam.createUser(request);
// Wait until the user is created
GetUserRequest userRequest = GetUserRequest.builder()
.userName(response.user().userName())
.build();
WaiterResponse waitUntilUserExists = iamWaiter.waitUntilUserExists(userRequest);
waitUntilUserExists.matched().response().ifPresent(System.out::println);
return response.user().userName();
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return "";
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/cf25559da654a7b74bec039c0ab9397dc5951dd4/javav2/example_code/iam/src/main/java/com/example/iam/CreateUser.java)。
## 列出 使用者
若要列出您帳戶 IAM 的使用者,請建立新的 [ListUsersRequest](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/ListUsersRequest.html),並將其傳遞給 IamClient 的 `listUsers`方法。您可以透過在傳回的 `users`ListUsersResponse[ 物件上呼叫 ](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/ListUsersResponse.html),來擷取使用者清單。
`listUsers` 傳回的使用者清單會分頁。您可以呼叫回應物件的 `isTruncated` 方法,檢查是否有更多可擷取的結果。如果傳回 `true`,則請呼叫回應物件的 `marker()` 方法。使用標記值來建立新的請求物件。然後以新的請求再次呼叫 `listUsers` 方法。
**匯入**
```
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.services.iam.model.ListUsersRequest;
import software.amazon.awssdk.services.iam.model.ListUsersResponse;
import software.amazon.awssdk.services.iam.model.User;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
```
**Code**
```
public static void listAllUsers(IamClient iam ) {
try {
boolean done = false;
String newMarker = null;
while(!done) {
ListUsersResponse response;
if (newMarker == null) {
ListUsersRequest request = ListUsersRequest.builder().build();
response = iam.listUsers(request);
} else {
ListUsersRequest request = ListUsersRequest.builder()
.marker(newMarker).build();
response = iam.listUsers(request);
}
for(User user : response.users()) {
System.out.format("\n Retrieved user %s", user.userName());
}
if(!response.isTruncated()) {
done = true;
} else {
newMarker = response.marker();
}
}
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/cf25559da654a7b74bec039c0ab9397dc5951dd4/javav2/example_code/iam/src/main/java/com/example/iam/ListUsers.java)。
## 更新使用者
若要更新使用者,請呼叫 IamClient 物件的 `updateUser`方法,該方法採用 [UpdateUserRequest](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/UpdateUserRequest.html) 物件,您可以使用該物件來變更使用者名稱**或*路徑*。
**匯入**
```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.services.iam.model.UpdateUserRequest;
```
**Code**
```
public static void updateIAMUser(IamClient iam, String curName,String newName ) {
try {
UpdateUserRequest request = UpdateUserRequest.builder()
.userName(curName)
.newUserName(newName)
.build();
iam.updateUser(request);
System.out.printf("Successfully updated user to username %s",
newName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/cf25559da654a7b74bec039c0ab9397dc5951dd4/javav2/example_code/iam/src/main/java/com/example/iam/UpdateUser.java)。
## 刪除使用者
若要刪除使用者,請使用 [UpdateUserRequest](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/UpdateUserRequest.html) 物件集呼叫 IamClient 的`deleteUser`請求,並設定要刪除的使用者名稱。
**匯入**
```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.DeleteUserRequest;
import software.amazon.awssdk.services.iam.model.IamException;
```
**Code**
```
public static void deleteIAMUser(IamClient iam, String userName) {
try {
DeleteUserRequest request = DeleteUserRequest.builder()
.userName(userName)
.build();
iam.deleteUser(request);
System.out.println("Successfully deleted IAM user " + userName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/cf25559da654a7b74bec039c0ab9397dc5951dd4/javav2/example_code/iam/src/main/java/com/example/iam/DeleteUser.java)。
## 詳細資訊
+ 《 使用者指南[IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)》中的 IAM 使用者
+ IAM 《 使用者指南》中的[管理 IAM 使用者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html)
+ IAM API 參考中的 [CreateUser](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html)
+ IAM API 參考中的 [ListUsers](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUsers.html)
+ IAM API 參考中的 [UpdateUser](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateUser.html)
+ IAM API 參考中的 [DeleteUser](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUser.html)
# 使用 建立 IAM 政策 AWS SDK for Java 2.x
[IAM 政策建置器 API](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/policybuilder/iam/package-summary.html) 是一個程式庫,可用於在 Java 中建置 [IAM 政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)並將其上傳至 AWS Identity and Access Management (IAM)。
API 提供用戶端、物件導向方法來產生 JSON 字串,而不是透過手動組合 JSON 字串或讀取檔案來建置 IAM 政策。當您讀取 JSON 格式的現有 IAM 政策時,API 會將其轉換為 [IamPolicy](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/policybuilder/iam/IamPolicy.html) 執行個體進行處理。
IAM 政策建置器 API 隨 SDK 2.20.105 版推出,因此請在 Maven 建置檔案中使用該版本或更新版本。開發套件的最新版本編號[列於 Maven 中央](https://central.sonatype.com/artifact/software.amazon.awssdk/iam-policy-builder)。
下列程式碼片段顯示 Maven `pom.xml` 檔案的範例相依性區塊。這可讓您在專案中使用 IAM 政策建置器 API。
```
software.amazon.awssdk
iam-policy-builder
2.27.21
```
## 建立 `IamPolicy`
本節顯示數個如何使用 IAM 政策建置器 API 建置政策的範例。
在下列每個範例中,從 開始`[IamPolicy.Builder](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/policybuilder/iam/IamPolicy.Builder.html)`,並使用 `addStatement`方法新增一或多個陳述式。在此模式之後,[IamStatement.Builder](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/policybuilder/iam/IamStatement.Builder.html) 具有將效果、動作、資源和條件新增至陳述式的方法。
### 範例:建立以時間為基礎的政策
下列範例會建立身分型政策,允許在兩個時間點之間執行 Amazon DynamoDB `GetItem`動作。
```
public String timeBasedPolicyExample() {
IamPolicy policy = IamPolicy.builder()
.addStatement(b -> b
.effect(IamEffect.ALLOW)
.addAction("dynamodb:GetItem")
.addResource(IamResource.ALL)
.addCondition(b1 -> b1
.operator(IamConditionOperator.DATE_GREATER_THAN)
.key("aws:CurrentTime")
.value("2020-04-01T00:00:00Z"))
.addCondition(b1 -> b1
.operator(IamConditionOperator.DATE_LESS_THAN)
.key("aws:CurrentTime")
.value("2020-06-30T23:59:59Z")))
.build();
// Use an IamPolicyWriter to write out the JSON string to a more readable format.
return policy.toJson(IamPolicyWriter.builder()
.prettyPrint(true)
.build());
}
```
#### JSON 輸出
上一個範例中的最後一個陳述式會傳回下列 JSON 字串。
閱讀*AWS Identity and Access Management 《 使用者指南*》中有關此[範例](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws-dates.html)的詳細資訊。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "dynamodb:GetItem",
"Resource": "*",
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": "2020-04-01T00:00:00Z"
},
"DateLessThan": {
"aws:CurrentTime": "2020-06-30T23:59:59Z"
}
}
}
}
```
------
### 範例:指定多個條件
下列範例示範如何建立身分型政策,允許存取特定 DynamoDB 屬性。政策包含兩個條件。
```
public String multipleConditionsExample() {
IamPolicy policy = IamPolicy.builder()
.addStatement(b -> b
.effect(IamEffect.ALLOW)
.addAction("dynamodb:GetItem")
.addAction("dynamodb:BatchGetItem")
.addAction("dynamodb:Query")
.addAction("dynamodb:PutItem")
.addAction("dynamodb:UpdateItem")
.addAction("dynamodb:DeleteItem")
.addAction("dynamodb:BatchWriteItem")
.addResource("arn:aws:dynamodb:*:*:table/table-name")
.addConditions(IamConditionOperator.STRING_EQUALS.addPrefix("ForAllValues:"),
"dynamodb:Attributes",
List.of("column-name1", "column-name2", "column-name3"))
.addCondition(b1 -> b1.operator(IamConditionOperator.STRING_EQUALS.addSuffix("IfExists"))
.key("dynamodb:Select")
.value("SPECIFIC_ATTRIBUTES")))
.build();
return policy.toJson(IamPolicyWriter.builder()
.prettyPrint(true).build());
}
```
#### JSON 輸出
上一個範例中的最後一個陳述式會傳回下列 JSON 字串。
閱讀*AWS Identity and Access Management 《 使用者指南*》中有關此[範例](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_dynamodb_attributes.html)的詳細資訊。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchWriteItem"
],
"Resource": "arn:aws:dynamodb:*:*:table/table-name",
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:Attributes": [
"column-name1",
"column-name2",
"column-name3"
]
},
"StringEqualsIfExists": {
"dynamodb:Select": "SPECIFIC_ATTRIBUTES"
}
}
}
}
```
------
### 範例:指定主體
下列範例示範如何建立以資源為基礎的政策,拒絕存取條件中指定的所有主體的儲存貯體。
```
public String specifyPrincipalsExample() {
IamPolicy policy = IamPolicy.builder()
.addStatement(b -> b
.effect(IamEffect.DENY)
.addAction("s3:*")
.addPrincipal(IamPrincipal.ALL)
.addResource("arn:aws:s3:::BUCKETNAME/*")
.addResource("arn:aws:s3:::BUCKETNAME")
.addCondition(b1 -> b1
.operator(IamConditionOperator.ARN_NOT_EQUALS)
.key("aws:PrincipalArn")
.value("arn:aws:iam::444455556666:user/user-name")))
.build();
return policy.toJson(IamPolicyWriter.builder()
.prettyPrint(true).build());
}
```
#### JSON 輸出
上一個範例中的最後一個陳述式會傳回下列 JSON 字串。
閱讀*AWS Identity and Access Management 《 使用者指南*》中有關此[範例](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous)的詳細資訊。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement" : {
"Effect" : "Deny",
"Principal" : "*",
"Action" : "s3:*",
"Resource" : [ "arn:aws:s3:::BUCKETNAME/*", "arn:aws:s3:::BUCKETNAME" ],
"Condition" : {
"ArnNotEquals" : {
"aws:PrincipalArn" : "arn:aws:iam::444455556666:user/user-name"
}
}
}
}
```
------
### 範例:允許跨帳戶存取
下列範例顯示如何允許另一個 AWS 帳戶 將物件上傳至您的儲存貯體,同時保留已上傳物件的完整擁有者控制。
```
public String allowCrossAccountAccessExample() {
IamPolicy policy = IamPolicy.builder()
.addStatement(b -> b
.effect(IamEffect.ALLOW)
.addPrincipal(IamPrincipalType.AWS, "111122223333")
.addAction("s3:PutObject")
.addResource("arn:aws:s3:::amzn-s3-demo-bucket/*")
.addCondition(b1 -> b1
.operator(IamConditionOperator.STRING_EQUALS)
.key("s3:x-amz-acl")
.value("bucket-owner-full-control")))
.build();
return policy.toJson(IamPolicyWriter.builder()
.prettyPrint(true).build());
}
```
#### JSON 輸出
上一個範例中的最後一個陳述式會傳回下列 JSON 字串。
閱讀《*Amazon Simple Storage Service 使用者指南*》中有關此[範例](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-acl-2)的詳細資訊。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement" : {
"Effect" : "Allow",
"Principal" : {
"AWS" : "111122223333"
},
"Action" : "s3:PutObject",
"Resource" : "arn:aws:s3:::amzn-s3-demo-bucket/*",
"Condition" : {
"StringEquals" : {
"s3:x-amz-acl" : "bucket-owner-full-control"
}
}
}
}
```
------
## `IamPolicy` 搭配 IAM 使用
建立`IamPolicy`執行個體之後,您可以使用 [https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/IamClient.html](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/IamClient.html) 來使用 IAM 服務。
下列範例會建置政策,允許 [IAM 身分](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html)將項目寫入使用 `accountID` 參數指定的帳戶中的 DynamoDB 資料表。然後,政策會以 JSON 字串的形式上傳至 IAM。
```
public String createAndUploadPolicyExample(IamClient iam, String accountID, String policyName) {
// Build the policy.
IamPolicy policy =
IamPolicy.builder() // 'version' defaults to "2012-10-17".
.addStatement(IamStatement.builder()
.effect(IamEffect.ALLOW)
.addAction("dynamodb:PutItem")
.addResource("arn:aws:dynamodb:us-east-1:" + accountID + ":table/exampleTableName")
.build())
.build();
// Upload the policy.
iam.createPolicy(r -> r.policyName(policyName).policyDocument(policy.toJson()));
return policy.toJson(IamPolicyWriter.builder().prettyPrint(true).build());
}
```
下一個範例以先前的範例為基礎。程式碼會下載政策,並透過複製和修改陳述式,將其用作新政策的基礎。然後上傳新的政策。
```
public String createNewBasedOnExistingPolicyExample(IamClient iam, String accountID, String policyName, String newPolicyName) {
String policyArn = "arn:aws:iam::" + accountID + ":policy/" + policyName;
GetPolicyResponse getPolicyResponse = iam.getPolicy(r -> r.policyArn(policyArn));
String policyVersion = getPolicyResponse.policy().defaultVersionId();
GetPolicyVersionResponse getPolicyVersionResponse =
iam.getPolicyVersion(r -> r.policyArn(policyArn).versionId(policyVersion));
// Create an IamPolicy instance from the JSON string returned from IAM.
String decodedPolicy = URLDecoder.decode(getPolicyVersionResponse.policyVersion().document(), StandardCharsets.UTF_8);
IamPolicy policy = IamPolicy.fromJson(decodedPolicy);
/*
All IamPolicy components are immutable, so use the copy method that creates a new instance that
can be altered in the same method call.
Add the ability to get an item from DynamoDB as an additional action.
*/
IamStatement newStatement = policy.statements().get(0).copy(s -> s.addAction("dynamodb:GetItem"));
// Create a new statement that replaces the original statement.
IamPolicy newPolicy = policy.copy(p -> p.statements(Arrays.asList(newStatement)));
// Upload the new policy. IAM now has both policies.
iam.createPolicy(r -> r.policyName(newPolicyName)
.policyDocument(newPolicy.toJson()));
return newPolicy.toJson(IamPolicyWriter.builder().prettyPrint(true).build());
}
```
### IamClient
上述範例使用建立的 `IamClient` 引數,如下列程式碼片段所示。
```
IamClient iam = IamClient.builder().region(Region.AWS_GLOBAL).build();
```
### JSON 中的政策
這些範例會傳回下列 JSON 字串。
```
First example
{
"Version": "2012-10-17",
"Statement" : {
"Effect" : "Allow",
"Action" : "dynamodb:PutItem",
"Resource" : "arn:aws:dynamodb:us-east-1:111122223333:table/exampleTableName"
}
}
Second example
{
"Version": "2012-10-17",
"Statement" : {
"Effect" : "Allow",
"Action" : [ "dynamodb:PutItem", "dynamodb:GetItem" ],
"Resource" : "arn:aws:dynamodb:us-east-1:111122223333:table/exampleTableName"
}
}
```
# 使用 IAM 政策
## 建立政策
若要建立新的政策,請在 [CreatePolicyRequest](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/CreatePolicyRequest.html) 中提供政策的名稱和 JSON 格式的政策文件給 IamClient 的 `createPolicy`方法。
**匯入**
```
import software.amazon.awssdk.core.waiters.WaiterResponse;
import software.amazon.awssdk.services.iam.model.CreatePolicyRequest;
import software.amazon.awssdk.services.iam.model.CreatePolicyResponse;
import software.amazon.awssdk.services.iam.model.GetPolicyRequest;
import software.amazon.awssdk.services.iam.model.GetPolicyResponse;
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.waiters.IamWaiter;
```
**Code**
```
public static String createIAMPolicy(IamClient iam, String policyName ) {
try {
// Create an IamWaiter object
IamWaiter iamWaiter = iam.waiter();
CreatePolicyRequest request = CreatePolicyRequest.builder()
.policyName(policyName)
.policyDocument(PolicyDocument).build();
CreatePolicyResponse response = iam.createPolicy(request);
// Wait until the policy is created
GetPolicyRequest polRequest = GetPolicyRequest.builder()
.policyArn(response.policy().arn())
.build();
WaiterResponse waitUntilPolicyExists = iamWaiter.waitUntilPolicyExists(polRequest);
waitUntilPolicyExists.matched().response().ifPresent(System.out::println);
return response.policy().arn();
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return "" ;
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/e41bacfd5e671e7ef1a9f73e972540dc6a434664/javav2/example_code/iam/src/main/java/com/example/iam/CreatePolicy.java)。
## 取得政策
若要擷取現有政策,請呼叫 IamClient 的 `getPolicy`方法,在 [GetPolicyRequest](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/GetPolicyRequest.html) 物件中提供政策的 ARN。
**匯入**
```
import software.amazon.awssdk.services.iam.model.GetPolicyRequest;
import software.amazon.awssdk.services.iam.model.GetPolicyResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.IamException;
```
**Code**
```
public static void getIAMPolicy(IamClient iam, String policyArn) {
try {
GetPolicyRequest request = GetPolicyRequest.builder()
.policyArn(policyArn).build();
GetPolicyResponse response = iam.getPolicy(request);
System.out.format("Successfully retrieved policy %s",
response.policy().policyName());
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/cf25559da654a7b74bec039c0ab9397dc5951dd4/javav2/example_code/iam/src/main/java/com/example/iam/GetPolicy.java)。
## 連接角色政策
您可以透過呼叫 IamClient 的 `attachRolePolicy`方法,在 [AttachRolePolicyRequest](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/AttachRolePolicyRequest.html) 中為其提供角色名稱和政策 ARN,[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)將政策 IAM 連接到角色。
**匯入**
```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.services.iam.model.AttachRolePolicyRequest;
import software.amazon.awssdk.services.iam.model.AttachedPolicy;
import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesRequest;
import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesResponse;
import java.util.List;
```
**Code**
```
public static void attachIAMRolePolicy(IamClient iam, String roleName, String policyArn ) {
try {
ListAttachedRolePoliciesRequest request = ListAttachedRolePoliciesRequest.builder()
.roleName(roleName)
.build();
ListAttachedRolePoliciesResponse response = iam.listAttachedRolePolicies(request);
List attachedPolicies = response.attachedPolicies();
// Ensure that the policy is not attached to this role
String polArn = "";
for (AttachedPolicy policy: attachedPolicies) {
polArn = policy.policyArn();
if (polArn.compareTo(policyArn)==0) {
System.out.println(roleName +
" policy is already attached to this role.");
return;
}
}
AttachRolePolicyRequest attachRequest =
AttachRolePolicyRequest.builder()
.roleName(roleName)
.policyArn(policyArn)
.build();
iam.attachRolePolicy(attachRequest);
System.out.println("Successfully attached policy " + policyArn +
" to role " + roleName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
System.out.println("Done");
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/cf25559da654a7b74bec039c0ab9397dc5951dd4/javav2/example_code/iam/src/main/java/com/example/iam/AttachRolePolicy.java)。
## 列出連接的角色政策
呼叫 IamClient 的 `listAttachedRolePolicies`方法,列出角色上的附加政策。它採用 [ListAttachedRolePoliciesRequest](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/ListAttachedRolePoliciesRequest.html) 物件,其中包含要列出其政策的角色名稱。
在傳回的 [ListAttachedRolePoliciesResponse](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/ListAttachedRolePoliciesResponse.html) 物件`getAttachedPolicies`上呼叫 ,以取得連接的政策清單。結果可能會被截斷;如果 `ListAttachedRolePoliciesResponse` 物件的 `isTruncated` 方法傳回 `true`,請呼叫 `ListAttachedRolePoliciesResponse` 物件的 `marker` 方法。使用傳回的標記來建立新的請求,並使用它再次呼叫 `listAttachedRolePolicies` 以取得下一個結果批次。
**匯入**
```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.services.iam.model.AttachRolePolicyRequest;
import software.amazon.awssdk.services.iam.model.AttachedPolicy;
import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesRequest;
import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesResponse;
import java.util.List;
```
**Code**
```
public static void attachIAMRolePolicy(IamClient iam, String roleName, String policyArn ) {
try {
ListAttachedRolePoliciesRequest request = ListAttachedRolePoliciesRequest.builder()
.roleName(roleName)
.build();
ListAttachedRolePoliciesResponse response = iam.listAttachedRolePolicies(request);
List attachedPolicies = response.attachedPolicies();
// Ensure that the policy is not attached to this role
String polArn = "";
for (AttachedPolicy policy: attachedPolicies) {
polArn = policy.policyArn();
if (polArn.compareTo(policyArn)==0) {
System.out.println(roleName +
" policy is already attached to this role.");
return;
}
}
AttachRolePolicyRequest attachRequest =
AttachRolePolicyRequest.builder()
.roleName(roleName)
.policyArn(policyArn)
.build();
iam.attachRolePolicy(attachRequest);
System.out.println("Successfully attached policy " + policyArn +
" to role " + roleName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
System.out.println("Done");
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/cf25559da654a7b74bec039c0ab9397dc5951dd4/javav2/example_code/iam/src/main/java/com/example/iam/AttachRolePolicy.java)。
## 分開角色政策
若要從角色分離政策,請呼叫 IamClient 的 `detachRolePolicy`方法,在 [DetachRolePolicyRequest](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/DetachRolePolicyRequest.html) 中提供角色名稱和政策 ARN。
**匯入**
```
import software.amazon.awssdk.services.iam.model.DetachRolePolicyRequest;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.IamException;
```
**Code**
```
public static void detachPolicy(IamClient iam, String roleName, String policyArn ) {
try {
DetachRolePolicyRequest request = DetachRolePolicyRequest.builder()
.roleName(roleName)
.policyArn(policyArn)
.build();
iam.detachRolePolicy(request);
System.out.println("Successfully detached policy " + policyArn +
" from role " + roleName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/cf25559da654a7b74bec039c0ab9397dc5951dd4/javav2/example_code/iam/src/main/java/com/example/iam/DetachRolePolicy.java)。
## 其他資訊
+ IAM 《 使用者指南》中的[IAM 政策概觀](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。
+ IAM 《 使用者指南》中的 [AWS IAM 政策參考](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html)。
+ IAM API 參考中的 [CreatePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html)
+ IAM API 參考中的 [GetPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicy.html)
+ IAM API 參考中的 [AttachRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html)
+ IAM API 參考中的 [ListAttachedRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedRolePolicies.html)
+ 《 IAM API 參考》中的 [DetachRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachRolePolicy.html)
# 使用 IAM 伺服器憑證
若要啟用網站或應用程式的 HTTPS 連線 AWS,您需要 SSL/TLS *伺服器憑證*。您可以使用 提供的伺服器憑證, AWS Certificate Manager 或是從外部供應商取得的憑證。
建議您使用 ACM 來佈建、管理和部署伺服器憑證。透過 ACM ,您可以請求憑證、將其部署到您的 AWS 資源,並讓 為您 ACM 處理憑證續約。提供的憑證 ACM 是免費的。如需 的詳細資訊 ACM,請參閱[AWS Certificate Manager 《 使用者指南》](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html)。
## 取得伺服器憑證
您可以透過呼叫 IamClient 的 `getServerCertificate`方法來擷取伺服器憑證,並使用憑證的名稱傳遞 [GetServerCertificateRequest](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/GetServerCertificateRequest.html)。
**匯入**
```
import software.amazon.awssdk.services.iam.model.GetServerCertificateRequest;
import software.amazon.awssdk.services.iam.model.GetServerCertificateResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.IamException;
```
**Code**
```
public static void getCertificate(IamClient iam,String certName ) {
try {
GetServerCertificateRequest request = GetServerCertificateRequest.builder()
.serverCertificateName(certName)
.build();
GetServerCertificateResponse response = iam.getServerCertificate(request);
System.out.format("Successfully retrieved certificate with body %s",
response.serverCertificate().certificateBody());
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/0b1785e42949ebf959eaa0f0da4dc2a48f92ea25/javav2/example_code/iam/src/main/java/com/example/iam/GetServerCertificate.java)。
## 列出伺服器憑證
若要列出您的伺服器憑證,請使用 [ListServerCertificatesRequest](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/ListServerCertificatesRequest.html) 呼叫 IamClient 的 `listServerCertificates`方法。它會傳回 [ListServerCertificatesResponse](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/ListServerCertificatesResponse.html)。
呼叫傳回 `ListServerCertificateResponse` 物件的 `serverCertificateMetadataList` 方法以取得 [ServerCertificateMetadata](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/ServerCertificateMetadata.html) 物件的清單,您可以用來取得每個憑證的相關資訊。
結果可能遭到截斷;如果 `ListServerCertificateResponse` 物件的 `isTruncated` 方法傳回 `true`,請呼叫 `ListServerCertificatesResponse` 物件的 `marker` 方法並使用標記來建立新的請求。使用新的請求再次呼叫 `listServerCertificates`,以取得下一個結果批次。
**匯入**
```
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.services.iam.model.ListServerCertificatesRequest;
import software.amazon.awssdk.services.iam.model.ListServerCertificatesResponse;
import software.amazon.awssdk.services.iam.model.ServerCertificateMetadata;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
```
**Code**
```
public static void listCertificates(IamClient iam) {
try {
boolean done = false;
String newMarker = null;
while(!done) {
ListServerCertificatesResponse response;
if (newMarker == null) {
ListServerCertificatesRequest request =
ListServerCertificatesRequest.builder().build();
response = iam.listServerCertificates(request);
} else {
ListServerCertificatesRequest request =
ListServerCertificatesRequest.builder()
.marker(newMarker).build();
response = iam.listServerCertificates(request);
}
for(ServerCertificateMetadata metadata :
response.serverCertificateMetadataList()) {
System.out.printf("Retrieved server certificate %s",
metadata.serverCertificateName());
}
if(!response.isTruncated()) {
done = true;
} else {
newMarker = response.marker();
}
}
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/0b1785e42949ebf959eaa0f0da4dc2a48f92ea25/javav2/example_code/iam/src/main/java/com/example/iam/ListServerCertificates.java)。
## 更新伺服器憑證
您可以透過呼叫 IamClient 的 `updateServerCertificate`方法來更新伺服器憑證的名稱或路徑。它需要設定 [UpdateServerCertificateRequest](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/UpdateServerCertificateRequest.html) 物件,並搭配伺服器憑證的目前名稱以及要使用的新名稱或新路徑。
**匯入**
```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.services.iam.model.UpdateServerCertificateRequest;
import software.amazon.awssdk.services.iam.model.UpdateServerCertificateResponse;
```
**Code**
```
public static void updateCertificate(IamClient iam, String curName, String newName) {
try {
UpdateServerCertificateRequest request =
UpdateServerCertificateRequest.builder()
.serverCertificateName(curName)
.newServerCertificateName(newName)
.build();
UpdateServerCertificateResponse response =
iam.updateServerCertificate(request);
System.out.printf("Successfully updated server certificate to name %s",
newName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/0b1785e42949ebf959eaa0f0da4dc2a48f92ea25/javav2/example_code/iam/src/main/java/com/example/iam/UpdateServerCertificate.java)。
## 刪除伺服器憑證
若要刪除伺服器憑證,請使用包含憑證名稱的 [DeleteServerCertificateRequest](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iam/model/DeleteServerCertificateRequest.html) 呼叫 IamClient 的 `deleteServerCertificate`方法。
**匯入**
```
import software.amazon.awssdk.services.iam.model.DeleteServerCertificateRequest;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.IamException;
```
**Code**
```
public static void deleteCert(IamClient iam,String certName ) {
try {
DeleteServerCertificateRequest request =
DeleteServerCertificateRequest.builder()
.serverCertificateName(certName)
.build();
iam.deleteServerCertificate(request);
System.out.println("Successfully deleted server certificate " +
certName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
```
請參閱 GitHub 上的[完整範例](https://github.com/awsdocs/aws-doc-sdk-examples/blob/0b1785e42949ebf959eaa0f0da4dc2a48f92ea25/javav2/example_code/iam/src/main/java/com/example/iam/DeleteServerCertificate.java)。
## 其他資訊
+ 《 IAM 使用者指南[》中的使用伺服器憑證](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html)
+ IAM API 參考中的 [GetServerCertificate](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetServerCertificate.html)
+ IAM API 參考中的 [ListServerCertificates](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListServerCertificates.html)
+ IAM API 參考中的 [UpdateServerCertificate](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateServerCertificate.html)
+ IAM API 參考中的 [DeleteServerCertificate](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteServerCertificate.html)
+ [AWS Certificate Manager 使用者指南](https://docs.aws.amazon.com/acm/latest/userguide/)